Kibana logs out after opening SIEM page

Upgrade from 6.x to 7.3.2. Everything works except the SIEM tab. When ever I go to the SIEM tab, I get logged out and redirected to the login page. I’m not using and proxy in front, so thats not the problem.

Elasticsearch/Kibana version: 7.3.2

The logs output this error.

Oct 29 11:19:52 PRESC01 kibana[92260]: { Error: Not Found
Oct 29 11:19:52 PRESC01 kibana[92260]: at handler (/usr/share/kibana/src/legacy/server/http/index.js:113:29)
Oct 29 11:19:52 PRESC01 kibana[92260]: at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:50:48)
Oct 29 11:19:52 PRESC01 kibana[92260]: at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:35:36)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)
Oct 29 11:19:52 PRESC01 kibana[92260]: data: null,
Oct 29 11:19:52 PRESC01 kibana[92260]: isBoom: true,
Oct 29 11:19:52 PRESC01 kibana[92260]: isServer: false,
Oct 29 11:19:52 PRESC01 kibana[92260]: output:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404,
Oct 29 11:19:52 PRESC01 kibana[92260]: payload:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404, error: 'Not Found', message: 'Not Found' },
Oct 29 11:19:52 PRESC01 kibana[92260]: headers:
Oct 29 11:19:52 PRESC01 kibana[92260]: { 'kbn-name': 'kibana',
Oct 29 11:19:52 PRESC01 kibana[92260]: 'kbn-xpack-sig': '37fa0a487b714a7c397e35e10c1b1322' } },
Oct 29 11:19:52 PRESC01 kibana[92260]: reformat: [Function],
Oct 29 11:19:52 PRESC01 kibana[92260]: message: 'Not Found',
Oct 29 11:19:52 PRESC01 kibana[92260]: typeof: [Function: notFound] }
Oct 29 11:19:52 PRESC01 kibana[92260]: redirecting to  /login

The WebUI briefly show this:

  JSON.parse: unexpected character at line 1 column 1 of the JSON data

Any ideas why the SIEM tab does not work?..

Here’s a screenshot from the developer tab.

Can confirm on Kibana v 7.3.2, ROR enterprise-1.18.7_es7.3.2
Same as APM app.

Do you need any logs?

Im on: ReadonlyREST Security version pro-1.18.7_es7.3.2

Thanks for the feedback guys, can you check if Elasticsearch has some FORBIDDEN log lines or anything interesting when you experience this?

Nope… literally nothing shows

I just tried with version enterprise-1.18.8-20191109_es7.3.2 using our docker image, it works well. Both in “admin” and “rw” kibana access mode.

Here’s my access_control_rules.

    - name: IT - RW ALL
      type: allow
      kibana_access: admin
      ldap_auth:
          name: "ldap1"
          groups: ["admin-group"]
      verbosity: error # don't log successful request

yeah it’s functionally the same. Can you reproduce with 1.18.8?